Пример #1
def test_extract_workspace__returns_sp_id_and_roles(get_app_sp_graph_data_mock):
    """Check that workspace auth info is derived from the Graph service-principal record.

    The mocked Graph response holds one service principal with two app roles.
    The extracted info is expected to carry the service principal id, its
    servicePrincipalNames entry as the scope id, and the ids of the
    WorkspaceOwner and WorkspaceResearcher app roles.
    """
    researcher_role = {'id': '1abc3', 'value': 'WorkspaceResearcher'}
    owner_role = {'id': '1abc4', 'value': 'WorkspaceOwner'}
    service_principal = {
        'id': '12345',
        'appRoles': [researcher_role, owner_role],
        'servicePrincipalNames': ["api://tre_ws_1234"],
    }
    get_app_sp_graph_data_mock.return_value = {'value': [service_principal]}

    service = AzureADAuthorization()
    result = service.extract_workspace_auth_information(data={"client_id": "1234"})

    # Role ids must be matched by role value, not by position in appRoles.
    assert result == {
        "sp_id": "12345",
        "scope_id": "api://tre_ws_1234",
        "app_role_id_workspace_owner": "1abc4",
        "app_role_id_workspace_researcher": "1abc3",
    }
Пример #2
def test_get_workspace_role_returns_correct_owner(get_user_role_assignments_mock, user: User, workspace: Workspace, expected_role: WorkspaceRole):
    """Check that a user's role assignments resolve to the expected workspace role.

    The role-assignment lookup is mocked to return the assignments stored on
    the user fixture, so only the role-mapping logic is exercised.
    NOTE(review): user / workspace / expected_role are presumably supplied by
    a parametrize decorator outside this snippet - confirm.
    """
    get_user_role_assignments_mock.return_value = user.roleAssignments

    service = AzureADAuthorization()
    assignments = service.get_user_role_assignments(user.id)
    resolved_role = service.get_workspace_role(user, workspace, assignments)

    assert resolved_role == expected_role
Пример #3
def test_raises_auth_config_error_if_workspace_auth_config_is_not_set(_):
    """A workspace created without auth properties must raise, not resolve to a role.

    Failing with AuthConfigValidationError keeps a misconfigured workspace
    from being treated as one where the user simply has (or lacks) a role.
    """
    service = AzureADAuthorization()

    requester = User(id='123', name="test", email="*****@*****.**")
    # No `properties` argument: the workspace carries no auth configuration.
    bare_workspace = Workspace(
        id='abc',
        etag='',
        templateName='template-name',
        templateVersion='0.1.0',
        resourcePath="test",
    )

    with pytest.raises(AuthConfigValidationError):
        assignments = service.get_user_role_assignments(requester.id)
        service.get_workspace_role(requester, bare_workspace, assignments)
Пример #4
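def test_raises_auth_config_error_if_auth_info_has_incorrect_roles(_):
    """Reject a workspace whose auth properties lack the expected role ids.

    The workspace has an ``sp_id`` but an empty ``roles`` mapping, so role
    resolution is expected to raise AuthConfigValidationError instead of
    returning a role for the user.
    """
    access_service = AzureADAuthorization()

    user = User(id='123', name="test", email="*****@*****.**")
    workspace_with_auth_info_but_no_roles = Workspace(
        id='abc',
        templateName='template-name',
        templateVersion='0.1.0',
        etag='',
        properties={'sp_id': '123', 'roles': {}},
        resourcePath="test")

    with pytest.raises(AuthConfigValidationError):
        # Look the assignments up for this user's id explicitly instead of
        # calling the lookup with no id, so the test does not depend on the
        # lookup tolerating a missing argument.
        role_assignments = access_service.get_user_role_assignments(user.id)
        access_service.get_workspace_role(user, workspace_with_auth_info_but_no_roles, role_assignments)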
Пример #5
def get_access_service(provider: str = AuthProvider.AAD) -> AccessService:
    """Return the access service for *provider*.

    Only the AAD provider is handled. Any other value is rejected outright;
    there is no fallback to a default service.

    Raises:
        HTTPException: 400 with ``strings.INVALID_AUTH_PROVIDER`` when the
            provider is not AAD.
    """
    is_supported = provider == AuthProvider.AAD
    if not is_supported:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=strings.INVALID_AUTH_PROVIDER,
        )
    # NOTE(review): built without require_one_of_roles; what role checks this
    # instance performs is not visible here - confirm in AzureADAuthorization.
    return AzureADAuthorization()
Пример #6
    try:
        return access_service.extract_workspace_auth_information(
            workspace_creation_properties)
    except AuthConfigValidationError as e:
        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST,
                            detail=str(e))


def get_access_service(provider: str = AuthProvider.AAD) -> AccessService:
    """Return the access service for *provider*.

    Only the AAD provider is handled. Any other value is rejected outright;
    there is no fallback to a default service.

    Raises:
        HTTPException: 400 with ``strings.INVALID_AUTH_PROVIDER`` when the
            provider is not AAD.
    """
    is_supported = provider == AuthProvider.AAD
    if not is_supported:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=strings.INVALID_AUTH_PROVIDER,
        )
    # NOTE(review): built without require_one_of_roles; what role checks this
    # instance performs is not visible here - confirm in AzureADAuthorization.
    return AzureADAuthorization()


# Role-gated AzureADAuthorization instances. Each is built with
# require_one_of_roles, which (going by the parameter name) is satisfied by
# holding any one of the listed roles, so every extra name in a list widens
# access. NOTE(review): presumably used as request dependencies on routes -
# confirm against the route definitions.

# Platform-level (TRE) roles.
get_current_tre_user = AzureADAuthorization(
    require_one_of_roles=['TREUser'],
)
get_current_admin_user = AzureADAuthorization(
    require_one_of_roles=['TREAdmin'],
)
get_current_tre_user_or_tre_admin = AzureADAuthorization(
    require_one_of_roles=['TREUser', 'TREAdmin'],
)

# Workspace-level roles.
get_current_workspace_owner_user = AzureADAuthorization(
    require_one_of_roles=['WorkspaceOwner'],
)
get_current_workspace_researcher_user = AzureADAuthorization(
    require_one_of_roles=['WorkspaceResearcher'],
)
get_current_workspace_owner_or_researcher_user = AzureADAuthorization(
    require_one_of_roles=['WorkspaceOwner', 'WorkspaceResearcher'],
)
Пример #7
def test_extract_workspace__raises_error_if_client_id_not_available():
    """Auth extraction must fail when the input data carries no client_id."""
    service = AzureADAuthorization()
    properties_without_client_id = {}

    with pytest.raises(AuthConfigValidationError):
        service.extract_workspace_auth_information(data=properties_without_client_id)
Пример #8
def test_extract_workspace__raises_error_if_graph_data_is_invalid(get_app_sp_graph_data_mock):
    """Auth extraction must fail when the Graph lookup yields unusable data.

    NOTE(review): the mock's return value is not set in this body; it is
    presumably configured by the patch decorator outside this snippet - confirm.
    """
    service = AzureADAuthorization()
    workspace_properties = {"client_id": "1234"}

    with pytest.raises(AuthConfigValidationError):
        service.extract_workspace_auth_information(data=workspace_properties)
Пример #9
def test_extract_workspace__raises_error_if_researcher_not_in_roles(get_app_auth_info_mock):
    """Auth extraction must fail when the app's auth info lacks the researcher role.

    NOTE(review): the mock's return value is not set in this body; it is
    presumably configured by the patch decorator outside this snippet - confirm.
    """
    service = AzureADAuthorization()
    workspace_properties = {"client_id": "1234"}

    with pytest.raises(AuthConfigValidationError):
        service.extract_workspace_auth_information(data=workspace_properties)